MEMORANDUM FOR: Admiral John M. Poindexter
Deputy Assistant to the President
on National Security Affairs

SUBJECT: National Policy on Telecommunications and
Automated Information Systems Security (U)

REFERENCE: NSC Draft Revision of PD/NSC-24, subject as
above, dated 3 April 1984




The proposed NSDD does not accurately recognize the DCI's
statutory responsibilities and authorities as outlined in Executive Order
12333, dated 4 December 1981; the National Security Act of 1947, as
amended; the CIA Act of 1949, as amended; or other applicable laws.
Language of principal concerns were discussed with [redacted]
of NSA on 17 April 1984 and acceptable language, as outlined in
Attachment 1, was developed. It is my understanding that NSA has agreed
to the proposed changes. (C)

Other issues we believe should be addressed are noted in Attachment 2.

SIG(I) SB Vf !nd°t f he h !r? n r' ng • ff0rtS by the Se tretary of Defense, 

DMB, and the DC I to review current policies and procedures in th* 

course s^f 1 action 41 ?? systenls secur1t * area and to recommend future 

systems sL^flS ?» ^fhf e “ S prematu : e t0 inc,ud e automated information 
ystems security in the manner set forth in the DroDosed Nsnn uhiio t 

and^to^i dent? f Gd f0r * V :ons ° lidated effort to leJiTproposeS'stal^ds 


John N. McMahon
Deputy Director of Central Intelligence
As Stated

Attachment I


Page 3, paragraph 4. a. (4) - 

SrSSSsrs* W 

Page 6, paragraph 6.g. - 

Develop and submit to the Steering Group a proposed COMSEC
consolidated resources program budget for each fiscal year.

Page 6, paragraph 7.b. - 


except

with policies formulated by the Director of Central Intelligence.

Page 7, paragraph 7.d. -

Assess the overall security posture and disseminate information on
hostile threats to telecommunications and automated information
systems security.


Page 7, paragraph 7.g. - 


Review annually the communications security program and resource
requirements of the departments and agencies of the Government and submit
this to the Executive Agent.


WARNING NOTICE 
INTELLIGENCE SOURCES 

OR METHODS INVOLVED CONFIDENTIAL 


Sanitized Copy Approved for Release 2010/05/21 : CIA-RDP97M00248R000500170034-1 



Attachment II 


1. Pages 4, 5, and 7 - The authority for the publication of
policies, directives and guidelines is not clearly defined. There is
ambiguity between paragraphs 5.b.(1), 5.b.(4), 6, 6.c, and 7.f. These
paragraphs should be rewritten for clarity. The NCSC charter provides a 
mechanism for the review and coordination of proposed National Policy 
Directives by the heads of departments and agencies prior to 
promulgation. Such a mechanism is implied in paragraph 5.b.(4), but is 
contradicted by paragraphs 6, 6.c, and 7.f. (C) 

2. Page 8, paragraph 10. b., change to read: "Provides the NTISSC, 
the Secretary of Defense or the Director, National Security Agency 
authority to examine the facilities of other departments and agencies or 
monitoring official government telecommunications without receiving prior 
approval of the head of such department or agency." (C) 


Orig - Add w/atts 
1 - DCI w/att 
1 - DDCI w/att 
1 - D/Commo w/att
1 - I ICS w/att
2 - DDA w/att

0/DDCI/EA 


(20 Apr 84) 



Central Intelligence Agency
Washington, D. C. 20505

MEMORANDUM FOR: Admiral John M. Poindexter
Deputy Assistant to the President
on National Security Affairs

SUBJECT: National Policy on Telecommunications and
Automated Information Systems Security (U)

REFERENCE: NSC Draft Revision of PD/NSC-24, subject as
above, dated 3 April 1984


1. The proposed NSDD does not accurately recognize the DCI's
statutory responsibilities and authorities as outlined in
Executive Order 12333, dated 4 December 1981; the National
Security Act of 1947, as amended; the CIA Act of 1949, as amended;
or other applicable laws. Language of principal concerns were
discussed with [redacted] of NSA on 17 April 1984 and
acceptable language, as outlined in Attachment 1, was developed.
It is my understanding that NSA has agreed to the proposed
changes. (C)

2. Other issues we believe should be addressed are noted in
Attachment 2. (U)

I fully support the need for an improved approach to
dealing with problems in telecommunications and information
systems security and believe we can reach agreement on how to deal
with our immediate concerns. (C)
Attachment 1


Page 3, paragraph 4. a. (4) - 

Review and approve consolidated COMSEC Resources Program
(CRP) and budget proposals. This responsibility does not
involve those responsibilities connected with the overall NFIP
budgetary process.


Page 6, paragraph 6.g. - 

Develop and submit to the Steering Group a proposed COMSEC 
consolidated resources program budget for each fiscal year. 

Page 6, Paragraph 7.b. - 

Conduct foreign communications security liaison relationships,
except for those foreign liaison relationships conducted
for intelligence purposes in accordance with policies
formulated by the Director of Central Intelligence.

Page 7, paragraph 7.d. 

Assess the overall security posture and disseminate 
information on hostile threats to national telecommunications 
and automated information systems security. 

Page 7, paragraph 7.g. 

Review annually the system security program and resources 
requirements of the departments and agencies of the Government 
and submit this to the Executive Agent. 
Attachment II


1. Pages 4, 5 and 7 - The authority for the publication of
policies, directives and guidelines is not clearly defined.
There is ambiguity between paragraphs 5.b.(1), 5.b.(4), 6, 6.c,
and 7.f. These paragraphs should be rewritten for clarity.
The NCSC charter provides a mechanism for the review and
coordination of proposed National Policy Directives by the
heads of departments and agencies prior to promulgation. Such
a mechanism is implied in paragraph 5.b.(4), but is
contradicted by paragraphs 6, 6.c, and 7.f. (C)

2. Page 8, paragraph 10.b. change to read: "Provides the
NTISSC, the Secretary of Defense or the Director, National
Security Agency authority to examine the facilities of other
departments and agencies or monitoring official government
telecommunications without receiving prior approval of the head
of such department or agency." (C)
MEMORANDUM FOR: Admiral John M. Poindexter
Deputy Assistant to the President
on National Security Affairs
The White House
Washington, D.C. 20500

SUBJECT: National Policy on Telecommunications and
Automated Information Systems Security (U)

REFERENCE: NSC Draft Revision of PD/NSC-24, subject as
above, dated 3 April 1984

1. The proposed NSDD does not accurately recognize the 
DCI's statutory responsibilities and authorities as outlined in 
Executive Order 12333, dated 4 December 1981; the National 
Security Act of 1947, as amended; the CIA Act of 1949, as 
amended; or other applicable laws. Therefore, the DCI does not 
concur with the draft. During previous discussions of the 
reference, these issues have been pointed out to your staff, 
and I have provided what I feel are workable alternatives to 
the current proposal. Few of these issues have been addressed 
in the attachment to the reference. (C) 

2. I agree with the need to review our national policy on
the procurement of COMSEC equipment. The technology is available
to solve many of our COMSEC problems. We need to better
forecast our COMSEC needs, to provide funding to procure COMSEC
products which are readily available, and to ensure that COMSEC
equipment is readily available when required. The heads of
departments and agencies and program managers have the responsibility
for determining the priorities for COMSEC equipment along
with their other program and budget submissions to the
NFIP/NFIB. (C)


3. We do not have the technology to solve all of the
problems in the newer area of computer security. It is not
clear that we should simply seek a technological solution.
Policies, procedures and technologies in this area must be
oriented to a wide spectrum of information security requirements
within the Government. While I fully support efforts to
address the concerns of automated information systems security,
the pace and extent of the proposed centralization of management
for this area set forth in the referenced draft is premature. (C)


4. I do not agree with the broad responsibilities for 
automated information systems security given to the Executive 
Agent and the National Manager under the proposed draft. The 
proper role of these positions should be to recommend standards 
and procedures, and to identify products or systems which meet 
those standards. It is the operational managers who have the 
ultimate responsibility for all aspects of security within their 
departments and agencies. It is, therefore, their responsibility
to select, implement and monitor the use of products or
systems under their control. The DCI manages this for the 
Intelligence Community and specifies the minimum protection 
required for all automated systems processing intelligence 
information. (C) 

5. The establishment of a central technical center to 
assess and disseminate information on hostile threats to 
national telecommunications and automated information systems 
security by the Director, NSA would remove the analysis missions 
from the CIA, DIA, FBI and the Intelligence Community Staff. I 
think this function should be assigned to the DCI. (C) 

6. I support an annual reporting requirement to the 
President on the status of telecommunications and automated 
information security, but I feel that the department and agency 
heads should report to the NSC and the President using a format 
and procedure specified by an executive agent. This would force 
top level managers of departments and agencies to be more 
actively involved in the status of their security posture and 
provide the mechanism for the checks and balances that are 
needed to measure our progress in these areas. (C) 


7. The DCI is responsible for arrangements with foreign 
governments on intelligence matters. The authorities of NSA to 
conduct such liaison and enter into agreements with foreign 
governments are limited and are to be in accordance with 
policies formulated by the DCI. The role of NSA as the National 
Manager should be to serve as a technical advisor. (C) 

8. I will fully support focused efforts to develop an
improved approach to dealing with the problems in telecommunications
and information systems security throughout the
Government. I believe that we can agree on ways and means to
deal with our immediate concerns and that we should establish
an appropriate forum in which to resolve the outstanding issues.
I will be happy to work with you to accomplish these important
objectives. (C)

9. Attached are specific comments on the attachment to the 
reference. (U) 


John N. McMahon 

Deputy Director of Central Intelligence 


Attachment:
As Stated

SUBJECT: National Policy on Telecommunications and Automated
Information Systems Security (U)

ORIGINATOR:

Distribution:

Orig - Addressee w/att
1 - DCI w/att
DDCI w/att
Executive Registry
DDA w/att
D/CO w/att
w/att
SPECIFIC COMMENTS


1. Page 2 - The introduction to the draft NSDD states:
"It is intended that the machinery established by this NSDD
will initially focus on those automated systems which are
connected to telecommunications transmission systems." The
body of the NSDD does not follow this statement of intent and
is all inclusive for automated information systems which
create, prepare or manipulate information in electronic form
for purposes other than telecommunications, and includes
computers, word processing systems and associated equipment.
The introductory statements should be deleted.

REASON: The draft NSDD does not acknowledge the existence
of the DCI-sponsored Computer Security Program and efforts to
develop safeguards tailored to reduce or eliminate threats and
vulnerabilities to automated systems processing intelligence
information. The transfer of this responsibility to NSA, as
proposed, is unacceptable.

2. Pages 4, 5 and 7 - The authority for the publication
of policies, directives and guidance is not clearly defined.
There is ambiguity between paragraphs 5.b.(1), 5.b.(4), 6, 6.c,
and 7.f.

REASON: These paragraphs should be rewritten for clarity. 
The NCSC Charter provides a mechanism for the review and 
coordination of proposed National Policy Directives by the 
heads of departments and agencies prior to promulgation. Such 
a mechanism is implied in paragraph 5.b.(4), but is 
contradicted by paragraphs 6, 6.c and 7.f. 

3. Page 3 - Paragraph 4.a.(4) - Recommend deletion.

REASON: The DCI is responsible for the development, with
the advice of the program managers, departments and agencies
concerned, the consolidated National Foreign Intelligence
Program budget - including the Cryptologic Program.

4. Page 4 - Paragraph 4.a.(5) - Rewrite as follows: (5)
On matters pertaining to the protection of intelligence sources
and methods; conform to applicable laws and the policies and
directives of the Director of Central Intelligence.

REASON: Recognize the statutory responsibilities of the 
Director of Central Intelligence to protect intelligence 
sources and methods. 
5. Page 4 - Paragraph 4.b - Rewrite as follows: b. The
executive secretary to the systems security Steering Group
shall be appointed by the Chairman of the National
Telecommunications and Information Systems Security Committee
(NTISSC).

REASON: The executive secretary should be responsive to
the NTISSC membership or he/she could initiate Steering Group
actions without the knowledge or consent of the chairman of the
NTISSC and its members.

6. Page 4 - Paragraph 5.a. - Rewrite as follows: a.
...The Committee shall be chaired by a representative of the
Secretary of Defense and shall be composed of a voting
representative of each of the following:

REASON: Each representative to the NTISSC should be a
voting member on deliberations by the NTISSC in executive
session as well as proposed policies and procedures submitted
to the NTISSC members for consideration.

7. Page 5 - Paragraph 5.(3) - Delete the parenthesis
around the expression at the end of the sub-paragraph and
substitute sponsored for managed in the last line.

REASON: For clarity and to be consistent with other
portions of the draft.

8. Page 5 - Paragraph 5.c. - Rewrite to define the
missions, functions and membership of the two permanent
subcommittees.

REASON: These two permanent subcommittees are, or should
be, the focal point for developing policies and procedures for
submission to the NTISSC membership for promulgation as
National Standards. All members of the NTISSC should be
represented on the two permanent subcommittees.

9. Page 5 - Paragraph 5.d. - Rewrite as follows: The
Committee shall have a permanent secretariat composed of
personnel from the departments and agencies represented on the
Committee.

REASON: The Committee should determine the composition of
the secretariat and who will provide the support facilities.

10. Page 6 - Paragraph 7. a. - Delete this subparagraph. 
REASON: Under existing law NSA does not have the authority
to monitor government telecommunications without the consent of
the head of the department or agency and the knowledge of the
persons or users of the system being monitored.

11. Page 6 - Paragraph 7.b. - Delete this subparagraph. 

REASON: Too broad in scope and does not recognize the DCI 
responsibilities and authorities for arrangements with foreign 
governments on intelligence matters. The authorities for NSA 
to conduct liaison, and reach agreements with foreign 
governments are limited and are to be in accordance with 
procedures formulated by the DCI. 

12. Page 7 - Paragraph 7.d. - Delete this subparagraph.

REASON: The establishment of ...a central technical center
to assess and disseminate information on hostile threats to
national telecommunications and automated information systems
security and to assess the overall security posture... by NSA,
would remove the analysis missions from the CIA, DIA, FBI and
the Intelligence Community Staff.

13. Page 7 - Paragraph 7.g. - Delete this subparagraph. 

REASON: See paragraph 3, above. 

14. Page 7 - Paragraph 7.h. - Delete this subparagraph. 

REASON: See paragraph 12, above. 

15. Page 7 - Paragraph 8.c. - Delete this subparagraph. 

REASON: See paragraph 12, above. 

16. Page 8 - Paragraph 10. b - Delete this subparagraph. 

REASON: See paragraphs 10 and 12, above. 

17. Page 9 - Paragraph 11 - Add subparagraph e, as
follows: e. Government means the Executive Branch of the
Government of the United States of America.

REASON: To be consistent with the authorities of Executive
Orders.

18. Page 10 - Paragraph 14. Delete this subparagraph. 
REASON: This paragraph should be combined with
subparagraph 2.d or paragraph 13. There should be one concise,
all inclusive statement.